

# Interconnecting your VPCs
<a name="interconnecting-vpcs"></a>

The following tables show the key considerations when you are interconnecting your VPCs.


| Interconnect option | Advantages | Disadvantages | 
| --- | --- | --- | 
| **Security VPC with VPC peering** |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  | 
| **Security VPC with AWS Transit Gateway** |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  | 
| **Security VPC with VPN interconnect** |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  | 


| Client (sends SYN) | AWS Transit Gateway | VPC peering | VPN between VPCs | Solution overview and possible concerns | 
| --- | --- | --- | --- | --- | 
| Internet or Direct Connect to a service in a single VPC with a public or private subnet. | N/A | N/A | N/A | Traffic traverses the internet gateway or virtual gateway and does not need to cross more than the VPC boundary. The VPC acts as a stub network, as designed. Traffic ingresses from on premises to the AWS Cloud (Direct Connect, VPN). | 
| Internet or Direct Connect in a VPC with clients in other VPCs (for example, pool members in another VPC), no SNAT. | Yes | No | Yes | AWS Transit Gateway or a VPN lets the traffic bypass the VPC peering filter, which passes only traffic from VPC-assigned CIDRs. VPN solutions will be constrained: no equal-cost multi-path routing (ECMP) (only a single route) and limited bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel). | 
| Internet or Direct Connect to a service in a VPC with customers in other VPCs (for example, pool members in another VPC), with SNAT. | Yes (but not required) | Yes | Yes (but not required) | Since the interconnection between the VPCs sees traffic from VPC-assigned CIDRs, any of the three options will work. VPN solutions will be constrained: no ECMP (only a single route) and limited bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel). | 
| Inside of VPC to service in same VPC. | N/A | N/A | N/A | All traffic constrained to a single VPC. Interconnection is not required. | 
| Inside of one VPC to a service VPC. Service is in the destination VPC CIDR. | Yes (but not required) | Yes | Yes (but not required) | Since the interconnection between the VPCs sees traffic from VPC-assigned CIDRs, any of the three options will work. | 
| Inside of one VPC to a service VPC. Service is outside the VPC CIDR range. | Yes | No | Yes | Since the interconnection between the VPCs sees traffic from VPC-assigned CIDRs, any will work. VPN solutions will be constrained: no ECMP (only a single route) and limited bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel). | 
| Inside of a single VPC to an internet service. | N/A | N/A | N/A | Traffic is from a VPC-assigned CIDR. If Elastic IP, NAT, or route table constructs are inline, traffic will flow. | 
| Inside of a VPC to an internet service, routing out through a security or inspection VPC. | Yes | No | Yes | Since the interconnection between the VPCs sees traffic from outside a VPC-assigned CIDR range, VPC peering cannot be used. VPN solutions will be constrained: no ECMP (only a single route) and limited bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel). | 
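
The rule behind the VPC peering column can be checked per flow: peering carries a packet only when both its source and destination addresses fall inside CIDRs assigned to the two VPCs, which is why SNAT changes the answer. The following Python sketch is an added example, not part of the AWS guidance; it is a simplified model of the table, and the CIDRs, addresses, and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the AWS guidance).
SECURITY_VPC = ["10.0.0.0/16"]   # VPC that hosts the BIG-IP
APP_VPC = ["10.1.0.0/16"]        # VPC that hosts the pool members
INTERNET_CLIENT = "203.0.113.10"
BIGIP_SELF_IP = "10.0.1.5"       # source address after SNAT
POOL_MEMBER = "10.1.2.20"
SERVICE_OUTSIDE_CIDR = "192.0.2.80"   # service address not in any VPC CIDR
INTERNET_SERVICE = "198.51.100.7"


def _in_any(addr, cidrs):
    """True if addr belongs to at least one of the given CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def interconnect_options(src_ip, dst_ip, vpc_a_cidrs, vpc_b_cidrs):
    """Return which interconnects can carry a packet between two VPCs.

    Model: VPC peering passes a packet only if source and destination are
    both inside CIDRs assigned to the two VPCs. Transit Gateway and VPN
    have no such filter in this model, so they are always viable.
    """
    assigned = list(vpc_a_cidrs) + list(vpc_b_cidrs)
    peering_ok = _in_any(src_ip, assigned) and _in_any(dst_ip, assigned)
    return {"transit_gateway": True, "vpc_peering": peering_ok, "vpn": True}


# (source, destination) as seen on the link between the two VPCs.
SCENARIOS = {
    "ingress, no SNAT": (INTERNET_CLIENT, POOL_MEMBER),
    "ingress, with SNAT": (BIGIP_SELF_IP, POOL_MEMBER),
    "VPC to service in VPC CIDR": (POOL_MEMBER, BIGIP_SELF_IP),
    "VPC to service outside VPC CIDR": (POOL_MEMBER, SERVICE_OUTSIDE_CIDR),
    "egress via inspection VPC": (POOL_MEMBER, INTERNET_SERVICE),
}


def evaluate_scenarios():
    """Map each scenario name to its interconnect_options() result."""
    return {name: interconnect_options(src, dst, SECURITY_VPC, APP_VPC)
            for name, (src, dst) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:35} {result}")
```
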